www.sisainfosec.com
Praveen Joseph Vackayil
CISSP, PCI QSA, CCNA, ISO 27001 LA, MS, BE
Introductions

SISA

Consulting
PCI DSS
• PCI QSA Validation Services (PCI-DSS)
• PCI ASV Scanning Services (PCI-DSS)
• PCI Assurance Services (SAQ)
PA DSS
• PA QSA Validation Services (PA-DSS)
Advisory
• Risk Assessment (IS-RA)
• Privacy and Standards Compliance (ISO 27001, GLBA, HIPAA, DPA, COBIT, FISMA, BS 25999)
• Application Pen Test and Code Review
• Network VA and Pen Test
• Forensics

Training
• CPISI – PCI DSS Implementation
• CISRA – Risk Assessment Implementation
• OCTAVE (SEI-CMU) Security Risk Assessment Workshop
• ISO 27001 Implementation Workshop
• Business Continuity Management Workshop
• Secure Coding in Dot-Net
• Awareness Sessions

Products
• SISA Security Assistant: Compliance Management Tool for PCI DSS, HIPAA, FFIEC, FISMA, ISO 27001, Application Security

About SISA
• SISA Information Security Pvt Ltd, Asia
• SISA Information Security Inc., Americas
• SISA Information Security WLL, EMEA
Consulting – Training – Products
Customers in 25 Countries
Our customers are some of the world’s biggest Banks, Merchants, IT, BPOs and Telecoms
PCI DSS

1. Network Diagram
• Formal
• Comprehensive
2. Network Device Administration
• Change Management
• Console Connections
• Remote Connections
3. Network Device Maintenance
• Business Justifications
• Firewall Rule Review every 6 months
4. Placement of Firewalls
• Between Internet and DMZ
• Between DMZ and Internal Network
5. Configuration of Firewalls
• Stateful Inspection
• Filtering Traffic between Internal and External network
• NATting for internal IP Addresses

1. No Defaults
• Username: administrator, system, cisco, infosys
• Password: 0000, 1234
2. Wireless Environments
• Change the default WEP keys
• Change the default passwords on access points
3. Device Configurations
• One primary function per server
• Only required services are enabled
• Systems are hardened
4. Admin access to devices
• Console access should be authenticated
• Non-console access should be strongly encrypted, e.g. SSH
• No Telnet

1. Storage
• Protect Stored Card Number
• Do not store CVV or Track Data
2. Retention Period
• Define business period for retention
• Review stored cardholder data every quarter
• Remove obsolete data
3. Key Management
• Generate Strong keys
• Store keys securely
• Distribute keys securely
• Change keys at the end of their lifetime
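Worked example, added here and not part of the SISA deck: one way to act on the Storage, Retention Period and Key Management items above, in Python. It keeps a masked form of the card number for display (first six and last four digits, the usual PCI display limit), a keyed one-way hash for storage and lookup, and a sweep that lists records older than the defined retention period. The key, key id, card numbers and records are constructed placeholders.

```python
"""Stored card number protection and retention sweep.
Added example for this page; key, PANs and records are constructed."""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed key material. In a real deployment the key lives in an HSM or
# key-management service and is rotated at the end of its lifetime; the key id
# travels with each token so old tokens can be found and re-issued after rotation.
KEY_ID = "pan-key-01"
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")

# Constructed records for the retention sweep (ids and capture dates are made up).
SAMPLE_RECORDS = [
    {"id": "rec-1", "captured_on": date(2013, 1, 15)},
    {"id": "rec-2", "captured_on": date(2013, 10, 1)},
]
SAMPLE_TODAY = date(2013, 11, 7)


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and check the length range of a card number (13-19 digits)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits, the rest masked."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes = KEY, key_id: str = KEY_ID) -> str:
    """Storage/lookup form: keyed one-way hash (HMAC-SHA256) of the full PAN.

    An unkeyed hash is not enough: once the issuer prefix is known the remaining
    digits are few, so the key itself must be protected and rotated like any
    other cryptographic key (the Key Management items on the slide).
    """
    digits = normalize_pan(pan)
    mac = hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{key_id}:{mac}"


def obsolete_records(records, retention_days: int, today: date) -> list:
    """Return ids of records older than the defined business retention period."""
    cutoff = today - timedelta(days=retention_days)
    return [r["id"] for r in records if r["captured_on"] < cutoff]


if __name__ == "__main__":
    sample_pan = "4111 1111 1111 1111"  # constructed test number
    print(mask_pan(sample_pan))
    print(pan_token(sample_pan))
    print(obsolete_records(SAMPLE_RECORDS, 180, SAMPLE_TODAY))
```

The key id prefix on each token is what makes the last Key Management item workable: when the key reaches the end of its lifetime, every token carrying the old id can be located and re-issued under the new key, and the old key retired.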

1. Encrypt card numbers sent over the Internet, Wireless networks, GPRS, GSM
• SSH, SSL/TLS, IPSec are acceptable
2. Never send unprotected card numbers over E-mail or chat

1. Scope
• All Windows systems must have AV
2. AV should be
• On
• Updated
• Running periodic scans
• Getting automatic updates
3. AV Logs
• At AV server end
• At AV client end
• Retained as per the 3 months-1 year rule

1. Patch Management
• Latest patches on all systems
• Deploy Critical patches in 30 days
• Risk Ranking
• Refer to external sources for vulnerabilities
2. Application Development
• Code Review
• Change Management
3. Custom Code Should Address
• SQL Injection
• Buffer Overflow
• Cross Site Scripting
• Cross Site Request Forgery, etc.
4. Public Facing Applications
• WAF or
• Application VA annually
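Added example, not from the deck: what "custom code should address SQL injection, cross-site scripting and cross-site request forgery" looks like at code review time, in Python with the standard sqlite3 module. The first lookup builds its query by string formatting (the "before" a reviewer rejects), the second passes the value as a bound parameter, the renderer escapes output before it reaches HTML, and the last two functions issue and check an anti-CSRF token. Buffer overflow, also on the list, is the one item a memory-safe language cannot illustrate. The table and its rows are constructed.

```python
"""SQL injection, XSS and CSRF from a code-review viewpoint.
Added example for this page; the table and its contents are constructed."""
import hmac
import html
import secrets
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)")
    conn.executemany(
        "INSERT INTO merchants (name, api_key) VALUES (?, ?)",
        [("acme", "KEY-ACME"), ("globex", "KEY-GLOBEX")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The 'before': untrusted input pasted into SQL text. A quote character in
    the input changes the statement, which is exactly what a code review must flag."""
    sql = "SELECT name FROM merchants WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The 'after': the value travels as a bound parameter, never as SQL text."""
    rows = conn.execute("SELECT name FROM merchants WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_greeting(name: str) -> str:
    """Output encoding for HTML: untrusted text is escaped before it hits the page."""
    return "<p>Welcome, %s</p>" % html.escape(name, quote=True)


def new_csrf_token() -> str:
    """Per-session secret to embed in state-changing forms."""
    return secrets.token_urlsafe(32)


def csrf_valid(session_token: str, submitted: str) -> bool:
    """Constant-time comparison of the submitted token against the session copy."""
    if not session_token or not submitted.isascii():
        return False
    return hmac.compare_digest(session_token, submitted)


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # the review test case: a quote inside the input
    print("vulnerable:", lookup_vulnerable(db, probe))  # returns every row
    print("safe:      ", lookup_safe(db, probe))        # returns nothing
    print(render_greeting("<script>alert(1)</script>"))
```

The review point is the shape of the code, not the payload: any function that concatenates request data into SQL text fails review regardless of what the tester happened to type, and the fix is always the bound parameter, with output encoding handled separately at the rendering layer.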

1. Assigning Access to CHD
• Job related need
• Approval mechanism for access
2. Implementing Access to CHD
• Automated access control system
• Default deny-all setting

1. Password Requirements
• History, Lifetime, Length, Complexity
2. Account Lockout, Forgot Password
• Password Reset Process
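Added example, not from the deck: the password requirements and account lockout above as working policy logic in Python. The slide names the controls (history, lifetime, length, complexity, lockout) but not their values; the numbers in the block are the PCI DSS requirement 8 parameters (minimum seven characters with letters and digits, no reuse of the last four passwords, 90-day lifetime, lock for 30 minutes after six failures) and are assumptions as far as this slide is concerned. The account, passwords and timestamps are constructed.

```python
"""Password policy and lockout logic. Added example for this page; the policy
values are assumptions (PCI DSS requirement 8), accounts and times are constructed."""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

# Assumed policy parameters (the slide names the controls, not the values).
MIN_LENGTH = 7          # at least seven characters
HISTORY_DEPTH = 4       # cannot reuse any of the last four passwords
MAX_AGE_DAYS = 90       # lifetime: change at least every 90 days
LOCKOUT_THRESHOLD = 6   # lock after six failed attempts
LOCKOUT_MINUTES = 30    # and stay locked for 30 minutes
PBKDF2_ROUNDS = 50_000  # kept low for the demo; raise in production


def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the 16-byte salt is stored in front of the digest."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def password_problems(new_password: str, history: list) -> list:
    """Length, complexity and history checks; an empty list means acceptable."""
    problems = []
    if len(new_password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (re.search(r"[A-Za-z]", new_password) and re.search(r"\d", new_password)):
        problems.append("must contain both letters and digits")
    if any(verify_password(new_password, old) for old in history[-HISTORY_DEPTH:]):
        problems.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
    return problems


class Account:
    def __init__(self, password: str, changed_at: datetime):
        self.history = [hash_password(password)]   # newest last, current is history[-1]
        self.changed_at = changed_at
        self.failed = 0
        self.locked_until = None

    def change_password(self, new_password: str, now: datetime) -> list:
        problems = password_problems(new_password, self.history)
        if not problems:
            self.history = (self.history + [hash_password(new_password)])[-HISTORY_DEPTH:]
            self.changed_at = now
        return problems

    def login(self, password: str, now: datetime) -> str:
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        if not verify_password(password, self.history[-1]):
            self.failed += 1
            if self.failed >= LOCKOUT_THRESHOLD:
                self.locked_until = now + timedelta(minutes=LOCKOUT_MINUTES)
                self.failed = 0
                return "locked"
            return "failed"
        self.failed = 0
        if now - self.changed_at > timedelta(days=MAX_AGE_DAYS):
            return "expired"   # correct password, but past its lifetime: force a change
        return "ok"


def demo() -> dict:
    """Walks one constructed account through the policy and returns the outcomes."""
    t0 = datetime(2013, 11, 7, 9, 0, tzinfo=timezone.utc)
    acct = Account("Winter2013", t0)
    out = {}
    out["weak"] = acct.change_password("short", t0)          # too short, no digits
    out["reuse"] = acct.change_password("Winter2013", t0)    # same as current
    out["good"] = acct.change_password("Spring2014x", t0)    # accepted
    for _ in range(LOCKOUT_THRESHOLD - 1):
        acct.login("wrong-guess", t0)
    out["sixth_failure"] = acct.login("wrong-guess", t0)
    out["during_lock"] = acct.login("Spring2014x", t0 + timedelta(minutes=5))
    out["after_lock"] = acct.login("Spring2014x", t0 + timedelta(minutes=31))
    out["stale"] = acct.login("Spring2014x", t0 + timedelta(days=91))
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, "->", result)
```

Time is passed in rather than read from the clock so that the lifetime and lockout branches can be exercised deterministically; in a real system the same design is what makes the password reset process on the slide testable.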

1. CCTV Recordings
2. Access Card Logs
3. Visitor Management
4. Media Management

1. Every system and network component has to have logs
2. Things that must be logged:
• Access to CHD
• Admin activities
• Access to logs
• Use of authentication mechanisms
• Initialization of logs
• Creation/deletion of system level objects
3. Log Retention
• 3 months – 1 year rule
4. NTP
5. FIM on logs
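Added example, not from the deck: an audit-event writer covering the event types listed above, and a file-integrity check suited to active logs, in Python. A naive FIM that hashes the whole log file flags every legitimate append, so this check records the size and hash at baseline time and only raises an alert when the file shrinks (truncation), the already-recorded prefix changes (in-place edit), or the file disappears. The event fields, addresses and file contents are constructed; an NTP-synced clock is assumed for the timestamps.

```python
"""Audit events for the items a PCI log must capture, plus a file-integrity
check that tolerates appends. Added example for this page; content is constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Event types mirror the slide's "things that must be logged".
EVENT_TYPES = {
    "chd_access",      # access to cardholder data
    "admin_action",    # activities by users with admin rights
    "log_access",      # reads of the audit trail itself
    "auth_attempt",    # use of an authentication mechanism (success or failure)
    "log_init",        # initialization or clearing of logs
    "object_create",   # creation of system-level objects
    "object_delete",   # deletion of system-level objects
}


def audit_event(event_type, user, source, outcome, detail="", ts=None):
    """One JSON line with who, what, when, where and outcome."""
    if event_type not in EVENT_TYPES:
        raise ValueError("unknown event type: %s" % event_type)
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be success or failure")
    ts = ts or datetime.now(timezone.utc)   # NTP-synced clock assumed
    record = {"ts": ts.isoformat(timespec="seconds"), "event": event_type,
              "user": user, "source": source, "outcome": outcome, "detail": detail}
    return json.dumps(record, sort_keys=True)


def fim_baseline(paths):
    """Record size and SHA-256 of each file as it is now."""
    base = {}
    for p in paths:
        with open(p, "rb") as f:
            data = f.read()
        base[p] = {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
    return base


def fim_check(path, entry):
    """Compare the current file against its baseline entry.

    Append-only logs grow legitimately, so only a shrink (truncation) or a
    change inside the already-baselined prefix counts as tampering.
    """
    if not os.path.exists(path):
        return "missing"
    if os.path.getsize(path) < entry["size"]:
        return "truncated"
    with open(path, "rb") as f:
        prefix = f.read(entry["size"])
    if hashlib.sha256(prefix).hexdigest() != entry["sha256"]:
        return "tampered"
    return "ok"


def demo():
    """Constructed scenario: append, in-place edit, truncate, delete; returns the verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "audit.log")
        with open(log, "w", encoding="utf-8") as f:
            f.write(audit_event("log_init", "system", "10.0.0.5", "success") + "\n")
        entry = fim_baseline([log])[log]
        results["unchanged"] = fim_check(log, entry)
        with open(log, "a", encoding="utf-8") as f:   # normal operation: a new record
            f.write(audit_event("chd_access", "alice", "10.0.0.7", "success",
                                "viewed masked PAN") + "\n")
        results["after_append"] = fim_check(log, entry)
        with open(log, "r+b") as f:                     # rewrite a byte inside the baseline
            f.seek(0)
            f.write(b"X")
        results["after_edit"] = fim_check(log, entry)
        with open(log, "w"):                            # clear the file
            pass
        results["after_truncate"] = fim_check(log, entry)
        os.remove(log)
        results["after_delete"] = fim_check(log, entry)
    return results


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(step, "->", verdict)
```

After each clean check the baseline should be advanced to the current size and hash, so that the protected prefix keeps growing with the log; rotated log files are no longer appended to and can be baselined whole.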

1. VA
• Internal VA
• External VA by an ASV
• Every quarter
2. PT
• Internal PT
• External PT
• Annually
3. Wireless Scans
4. IDS/IPS
5. FIM
(Figure: risk ranking scale: High, Med, Low)

1. Risk Assessment
• Formal methodology
• e.g. ISO 27005, NIST SP 800-30, OCTAVE, etc.
2. HR
• Recruitment
• Background checks
• NDA
• Awareness
• ID creation/deletion
• Termination
3. Acceptable Usage Policy
4. Operational Security Policy
5. Information Security Policy
6. Service Providers
7. Incident Management

PCI DSS 3.0

Dates
• PCI DSS 3.0 will be published on 7 November 2013
• Version 3.0 becomes optional from 1 January 2014 onwards
• Version 2.0 will remain active until 31 December 2014

1. Updated Network Diagram
2. Updated Hardware Inventory

1. AV is required on Non-Windows based systems also

1. Update list of application vulnerabilities as per OWASP, NIST, SANS, etc.

1. Security Requirements for Authentication Mechanisms Other than Passwords
• Tokens
• Smart Cards

1. More Stringent Requirements for Penetration Testing

1. Maintain a list of service providers and what services they offer
2. Service providers should maintain their applicable PCI Requirements
3. Risks pertaining to service providers
Thank You

PCI DSS in Pictures and What to Expect in PCI 3.0

Slide 1.
www.sisainfosec.com
Praveen Joseph Vackayil
CISSP, PCI QSA, CCNA, ISO 27001 LA, MS, BE

Slide 3. SISA Consulting
PCI DSS
• PCI QSA Validation Services (PCI-DSS)
• PCI ASV Scanning Services (PCI-DSS)
• PCI Assurance Services (SAQ)
PA DSS
• PA QSA Validation Services (PA-DSS)
Advisory
• Risk Assessment (IS-RA)
• Privacy and Standards Compliance (ISO 27001, GLBA, HIPAA, DPA, COBIT, FISMA, BS 25999)
• Application Pen Test and Code Review
• Network VA and Pen Test
• Forensics
Training
• CPISI – PCI DSS Implementation
• CISRA – Risk Assessment Implementation
• OCTAVE (SEI-CMU) Security Risk Assessment Workshop
• ISO 27001 Implementation Workshop
• Business Continuity Management Workshop
• Secure Coding in Dot-Net
• Awareness Sessions
Products
• SISA Security Assistant Compliance Management Tool for
• PCI DSS
• HIPAA
• FFIEC
• FISMA
• ISO 27001
• Application Security

Slide 4. About SISA
• SISA Information Security Pvt Ltd, Asia
• SISA Information Security Inc., Americas
• SISA Information Security WLL, EMEA
Consulting – Training – Products
Customers in 25 Countries
Our customers are some of the world's biggest Banks, Merchants, IT, BPOs and Telecoms

Slide 7.
1. Network Diagram
• Formal
• Comprehensive
2. Network Device Administration
• Change Management
• Console Connections
• Remote Connections
3. Network Device Maintenance
• Business Justifications
• Firewall Rule Review every 6 months
4. Placement of Firewalls
• Between Internet and DMZ
• Between DMZ and Internal Network
5. Configuration of Firewalls
• Stateful Inspection
• Filtering Traffic between Internal and External network
• NATting for internal IP Addresses

Slide 8.
1. No Defaults
• Username: administrator, system, cisco, infosys
• Password: 0000, 1234
2. Wireless Environments
• Change the default WEP keys
• Change the default passwords on access points
3. Device Configurations
• One primary function per server
• Only required services are enabled
• Systems are hardened
4. Admin access to devices
• Console access should be authenticated
• Non-console access should be strongly encrypted, e.g. SSH
• No Telnet

Slide 9.
1. Storage
• Protect Stored Card Number
• Do not store CVV or Track Data
2. Retention Period
• Define business period for retention
• Review stored cardholder data every quarter
• Remove obsolete data
3. Key Management
• Generate Strong keys
• Store keys securely
• Distribute keys securely
• Change keys at the end of their lifetime
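The storage items above (protect the stored card number, never store CVV or track data, review and purge stored data) are the kind of thing a quarterly cardholder-data review actually has to go and look for. The following is an added example written for this page, not code from the slides or from SISA: a small discovery-and-masking check that finds Luhn-valid card numbers held in the clear, masks them to first six / last four, and flags populated sensitive-authentication-data fields. The record layout, field names and sample records are constructed; the card number used is a standard test number.

```python
"""Cardholder-data discovery and masking check (added example, not from the slides).

Scans stored records for primary account numbers (PANs) held in the clear and
for fields that hold sensitive authentication data (CVV, track data, PIN), which
PCI DSS forbids storing after authorisation. Field names, record layout and the
sample records are constructed for this example; the card number is a standard
test number, not a real account.
"""
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names treated as sensitive authentication data (constructed list).
SAD_FIELDS = {"cvv", "cvv2", "cvc", "track1", "track2", "pin"}


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS 3.3); mask the rest."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Luhn-valid PAN-like strings found in the text, normalised to bare digits."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in the text with its masked form."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


def audit_record(record: Dict[str, object]) -> List[str]:
    """Findings for one stored record: clear-text PANs and populated SAD fields."""
    findings = []
    for key, value in record.items():
        if key.lower() in SAD_FIELDS and value not in (None, ""):
            findings.append(f"sensitive authentication data stored in field '{key}'")
        for pan in find_pans(str(value)):
            findings.append(f"clear-text PAN {mask_pan(pan)} in field '{key}'")
    return findings


# Constructed sample records for the quarterly review.
SAMPLE_RECORDS = [
    {"order_id": "A100", "card": "4111 1111 1111 1111", "cvv": "123"},  # both violations
    {"order_id": "A101", "card": "411111******1111", "cvv": ""},        # masked, SAD purged
    {"order_id": "A102", "note": "customer phoned from 555 0100"},      # no card data
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        for finding in audit_record(rec):
            print(rec["order_id"], finding)
```

The Luhn filter is what keeps a scan like this usable: order numbers, phone numbers and timestamps produce long digit runs, but very few of them pass the checksum. The same `redact` function can be run over application and web-server logs, which is where clear-text PANs most often turn up during an assessment.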
Slide 10.
1. Encrypt card numbers sent over the Internet, Wireless networks, GPRS, GSM
• SSH, SSL/TLS, IPSec are acceptable
2. Never send unprotected card numbers over E-mail or chat

Slide 11.
1. Scope
• All Windows systems must have AV
2. AV should be
• On
• Updated
• Running periodic scans
• Getting automatic updates
3. AV Logs
• At AV server end
• At AV client end
• Retained as per the 3 months – 1 year rule

Slide 12.
1. Patch Management
• Latest patches on all systems
• Deploy Critical patches in 30 days
• Risk Ranking
• Refer to external sources for vulnerabilities
2. Application Development
• Code Review
• Change Management
3. Custom Code Should Address
• SQL Injection
• Buffer Overflow
• Cross Site Scripting
• Cross Site Request Forgery, etc.
4. Public Facing Applications
• WAF, or
• Application VA annually

Slide 13.
1. Assigning Access to CHD
• Job related need
• Approval mechanism for access
2. Implementing Access to CHD
• Automated access control system
• Default deny-all setting

Slide 14.
1. Password Requirements
• History, Lifetime, Length, Complexity
2. Account Lockout, Forgot Password
• Password Reset Process
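The password slide names the controls (history, lifetime, length, complexity, lockout, reset) without saying how they fit together in an authentication service. The following is an added example written for this page, not code from the slides or from SISA, that implements each of them as a checkable function. The thresholds are those of PCI DSS v2.0 requirement 8.5 (90-day lifetime, at least 7 characters, alphabetic and numeric characters, no reuse of the last 4 passwords, lockout after 6 failed attempts for 30 minutes, forced change after a reset); the slide itself gives no numbers, so treat them as this example's assumptions. Times are plain Unix seconds.

```python
"""Password policy and lockout enforcement (added example, not from the slides).

Thresholds are PCI DSS v2.0 requirement 8.5 values, stated here as assumptions
since the slide gives none. Times are Unix seconds so the logic is easy to test.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import hashlib
import hmac
import os

MAX_AGE_SECONDS = 90 * 24 * 3600   # 8.5.9: change at least every 90 days
MIN_LENGTH = 7                     # 8.5.10
HISTORY_DEPTH = 4                  # 8.5.12: not the same as any of the last four
LOCKOUT_THRESHOLD = 6              # 8.5.13
LOCKOUT_SECONDS = 30 * 60          # 8.5.14
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only the salt and digest are ever stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def complexity_errors(password: str) -> List[str]:
    """Length and character-class rules; an empty list means the password passes."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        errors.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        errors.append("no numeric character")
    return errors


@dataclass
class Account:
    username: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest last
    changed_at: Optional[float] = None
    failed_attempts: int = 0
    locked_until: Optional[float] = None
    must_change: bool = False  # set by a reset, cleared when the user picks a password

    def _matches(self, password: str, entry: Tuple[bytes, bytes]) -> bool:
        salt, digest = entry
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def set_password(self, password: str, now: float) -> List[str]:
        """Apply complexity and history rules; returns rejection reasons (empty = accepted)."""
        errors = complexity_errors(password)
        if any(self._matches(password, e) for e in self.history[-HISTORY_DEPTH:]):
            errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if errors:
            return errors
        self.history.append(hash_password(password))
        self.history = self.history[-HISTORY_DEPTH:]  # keep only what the history rule needs
        self.changed_at = now
        self.must_change = False
        return []

    def reset_password(self, temporary: str, now: float) -> None:
        """Forgot-password path: a one-off temporary value that must be replaced at first login."""
        self.history.append(hash_password(temporary))
        self.history = self.history[-HISTORY_DEPTH:]
        self.changed_at = now
        self.failed_attempts = 0
        self.locked_until = None
        self.must_change = True

    def password_expired(self, now: float) -> bool:
        return self.changed_at is None or now - self.changed_at > MAX_AGE_SECONDS

    def authenticate(self, password: str, now: float) -> bool:
        """Verify the current password, counting failures and honouring the lockout window."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return False          # still locked: the password is not even checked
            self.locked_until = None  # window elapsed: counting starts again
            self.failed_attempts = 0
        if self.history and self._matches(password, self.history[-1]):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_SECONDS
        return False
```

Two design points worth noting for an assessment: the lockout check happens before the password is verified, so a locked account gives no signal about whether a guess was right, and the history comparison reuses each stored salt rather than keeping old passwords in a recoverable form.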
Slide 15.
1. CCTV Recordings
2. Access Card Logs
3. Visitor Management
4. Media Management
Slide 16.
1. Every system and network component has to have logs
2. Things that must be logged:
• Access to CHD
• Admin activities
• Access to logs
• Use of authentication mechanisms
• Initialization of logs
• Creation/deletion of system level objects
3. Log Retention
• 3 months – 1 year rule
4. NTP
5. FIM on logs
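Logging every component is only half of it; each record also has to carry enough detail to reconstruct an event, and the log itself has to be protected from alteration (the "FIM on logs" item). The following is an added example written for this page, not code from the slides or from SISA. It checks that each event carries the entries PCI DSS requirement 10.3 asks for (user, event type, date and time, success or failure, origin, affected resource) and detects edits, deletions or truncation of a sealed log by chaining SHA-256 digests across lines. The JSON field names and the sample lines are constructed.

```python
"""Audit-log completeness and integrity check (added example, not from the slides).

The JSON field names and sample lines are constructed for this example.
"""
import hashlib
import json
from typing import Dict, List, Optional

# One entry per PCI DSS 10.3 item; the names are this example's own.
REQUIRED_FIELDS = ("time", "user", "event", "outcome", "origin", "resource")

# Constructed sample log: one event per line. Line 2 lacks the affected
# resource; line 3 is an unstructured message.
SAMPLE_LOG = [
    '{"time": "2014-01-15T10:15:02Z", "user": "jdoe", "event": "chd_access", '
    '"outcome": "success", "origin": "10.0.5.21", "resource": "cardvault.orders"}',
    '{"time": "2014-01-15T10:16:40Z", "user": "root", "event": "admin_action", '
    '"outcome": "success", "origin": "console", "resource": "fw-core-01"}',
    '{"time": "2014-01-15T10:17:05Z", "user": "svc_batch", "event": "auth", '
    '"outcome": "failure", "origin": "10.0.5.90"}',
    'kernel: audit subsystem initialised',
]


def audit_log(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> problems; lines that satisfy 10.3 do not appear."""
    problems: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        try:
            entry = json.loads(line)
        except ValueError:
            problems[i] = ["not a structured event record"]
            continue
        missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
        if missing:
            problems[i] = ["missing " + f for f in missing]
    return problems


def chain_lines(lines: List[str], seed: str = "") -> List[str]:
    """Running digest after each line: h_i = sha256(h_(i-1) || line_i)."""
    digests = []
    prev = seed
    for line in lines:
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        digests.append(prev)
    return digests


def first_tampered_line(lines: List[str], recorded: List[str], seed: str = "") -> Optional[int]:
    """Index of the first line whose digest no longer matches the recorded chain, or None.

    `recorded` is the chain written out when the log was sealed (to a separate,
    write-protected store). An edit, deletion or truncation at line i changes
    every digest from i onward, so the first mismatch locates it.
    """
    for i, (got, want) in enumerate(zip(chain_lines(lines, seed), recorded)):
        if got != want:
            return i
    if len(lines) != len(recorded):
        return min(len(lines), len(recorded))
    return None


if __name__ == "__main__":
    for idx, issues in audit_log(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(issues)}")
    sealed = chain_lines(SAMPLE_LOG)
    print("chain intact:", first_tampered_line(SAMPLE_LOG, sealed) is None)
```

The chain only detects tampering if the recorded digests are kept somewhere the log writer cannot modify; in practice that is the central log server or file-integrity monitor the slide refers to, with the digests sealed at each retention checkpoint.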
Slide 17.
1. VA
• Internal VA
• External VA by an ASV
• Every quarter
2. PT
• Internal PT
• External PT
• Annually
3. Wireless Scans
4. IDS/IPS
5. FIM
(Risk-rating legend shown on the slide: High, Med, Low)

Slide 18.
1. Risk Assessment
• Formal methodology
• E.g. ISO 27005, NIST SP 800-30, OCTAVE, etc.
2. HR
• Recruitment
• Background checks
• NDA
• Awareness
• ID creation/deletion
• Termination
3. Acceptable Usage Policy
4. Operational Security Policy
5. Information Security Policy
6. Service Providers
7. Incident Management

Slide 20. Dates
• PCI DSS 3.0 will be published on 7 November 2013
• Version 3.0 becomes optional from 1 January 2014 onwards
• Version 2.0 will remain active until 31 December 2014

Slide 21.
1. Updated Network Diagram
2. Updated Hardware Inventory

Slide 22.
1. AV is required on Non-Windows based systems also

Slide 23.
1. Update list of application vulnerabilities as per OWASP, NIST, SANS, etc.

Slide 24.
1. Security Requirements for Authentication Mechanisms Other than Passwords
• Tokens
• Smart Cards

Slide 25.
1. More Stringent Requirements for Penetration Testing

Slide 26.
1. Maintain a list of service providers and what services they offer
2. Service providers should maintain their applicable PCI Requirements
3. Risks pertaining to service providers